AONT (All-or-Nothing Transform) is a kind of (n, n)-threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l<k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.
SeongHan SHIN
National Institute of Advanced Industrial Science and Technology (AIST)
Shota YAMADA
National Institute of Advanced Industrial Science and Technology (AIST)
Goichiro HANAOKA
National Institute of Advanced Industrial Science and Technology (AIST)
Yusuke ISHIDA
ZenmuTech Inc.
Atsushi KUNII
ZenmuTech Inc.
Junichi OKETANI
ZenmuTech Inc.
Shimpei KUNII
ZenmuTech Inc.
Kiyoshi TOMOMURA
ZenmuTech Inc.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Copy
SeongHan SHIN, Shota YAMADA, Goichiro HANAOKA, Yusuke ISHIDA, Atsushi KUNII, Junichi OKETANI, Shimpei KUNII, Kiyoshi TOMOMURA, "How to Extend CTRT for AES-256 and AES-192" in IEICE TRANSACTIONS on Fundamentals,
vol. E105-A, no. 8, pp. 1121-1133, August 2022, doi: 10.1587/transfun.2021EAP1082.
Abstract: AONT (All-or-Nothing Transform) is a kind of (n, n)-threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l<k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.
URL: https://global.ieice.org/en_transactions/fundamentals/10.1587/transfun.2021EAP1082/_p
Copy
@ARTICLE{e105-a_8_1121,
author={SeongHan SHIN, Shota YAMADA, Goichiro HANAOKA, Yusuke ISHIDA, Atsushi KUNII, Junichi OKETANI, Shimpei KUNII, Kiyoshi TOMOMURA, },
journal={IEICE TRANSACTIONS on Fundamentals},
title={How to Extend CTRT for AES-256 and AES-192},
year={2022},
volume={E105-A},
number={8},
pages={1121-1133},
abstract={AONT (All-or-Nothing Transform) is a kind of (n, n)-threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l<k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.},
keywords={},
doi={10.1587/transfun.2021EAP1082},
ISSN={1745-1337},
month={August},}
Copy
TY - JOUR
TI - How to Extend CTRT for AES-256 and AES-192
T2 - IEICE TRANSACTIONS on Fundamentals
SP - 1121
EP - 1133
AU - SeongHan SHIN
AU - Shota YAMADA
AU - Goichiro HANAOKA
AU - Yusuke ISHIDA
AU - Atsushi KUNII
AU - Junichi OKETANI
AU - Shimpei KUNII
AU - Kiyoshi TOMOMURA
PY - 2022
DO - 10.1587/transfun.2021EAP1082
JO - IEICE TRANSACTIONS on Fundamentals
SN - 1745-1337
VL - E105-A
IS - 8
JA - IEICE TRANSACTIONS on Fundamentals
Y1 - August 2022
AB - AONT (All-or-Nothing Transform) is a kind of (n, n)-threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l<k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.
ER -